Uploaded image for project: 'Bitbucket Cloud'
  1. Bitbucket Cloud
  2. BCLOUD-12195

Webhook HMAC signature (security issue)

    XMLWordPrintable

Details

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      There is currently no way of authenticating webhooks. While IP whitelisting could work, it is fragile and cumbersome to maintain a list of allowed IP addresses (even if said list is available through an API).

      A simple & proven way of authenticating any kind of payload is to join an HMAC signature with the payload.

      All is required is a shared secret between Bitbucket and the webhook receiver. We should be able to provide said secret on the webhook configuration page (and the API). Then, Bitbucket sends the webhook with the computed HMAC (in a header or within the payload) so that the receiver can check it.

      Please note that this feature is already implemented by Github.

      Attachments

        Issue Links

          Activity

            People

              57465700c4e1 emunday
              42c3211a77d5 Zopieux
              Votes:
              63 Vote for this issue
              Watchers:
              43 Start watching this issue

              Dates

                Created:
                Updated: